DevOps Classroomnotes 25/Aug/2022

DevSecOps

  • DevSecOps is the practice of bringing security into the SDLC earlier ("shifting left"), so that security checks run automatically alongside build and test instead of as a separate review at the end.
  • To implement DevSecOps, organizations integrate a variety of application security testing (AST) tools into the stages of the CI/CD process. The commonly used AST categories are
    • SCA (Software Composition Analysis)
    • SAST (Static Application Security Testing)
    • DAST (Dynamic Application Security Testing)

Software Composition Analysis (SCA)

  • SCA tools scan source code, dependency manifests and built binaries to identify known vulnerabilities (typically tracked as CVEs in the NVD) in the open source and third-party components an application pulls in.
  • They also report licence risk, i.e. components whose licence terms conflict with how the product is distributed.
  • SCA only finds vulnerabilities already published for a given component and version; it says nothing about flaws in your own code.

Static Application Security Testing (SAST)

  • SAST tools scan proprietary or custom code, without running it, for coding errors and design flaws that could lead to an exploitable weakness (for example, unsanitized input reaching a SQL query).
  • Because SAST sees only the code and not the running system, it produces false positives that need triage; tuning rules and suppressions is part of adopting it.

Dynamic Application Security Testing (DAST)

  • DAST is automated opaque-box ("black box") testing: the tool interacts with a running web application or API the way an attacker would, sending requests and inspecting the responses, with no access to the source code.
  • It tests the application over a network connection against a deployed instance (typically a test or staging environment), so it runs later in the pipeline than SCA and SAST. Active scanning sends attack payloads, so point it only at systems you are authorized to test.
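
The core of an SCA check is matching each pinned dependency against an advisory feed by version range. The script below is an added example written for these notes, not code from the original post or from any vendor listed on this page; the advisory entries, the manifest and the package names are constructed sample data, and the advisory ids are hypothetical placeholders rather than real CVE ids. It also shows the pitfall a hand-rolled check walks into: comparing versions as strings.

```python
"""Minimal SCA-style dependency check against an advisory list.

Added example for the SCA section, not code from the original notes or from
any of the vendors listed on the page. The advisory entries, the manifest and
the package names are constructed sample data; the advisory ids are
hypothetical placeholders, not real CVE ids.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# "major.minor.patch" optionally followed by a pre-release tag such as
# "-beta9" or "rc1". Anything else is rejected rather than guessed at.
_VERSION_RE = re.compile(
    r"^(\d+(?:\.\d+)*)(?:[-.]?(alpha|beta|rc)\.?(\d*))?$", re.IGNORECASE
)


def parse_version(text: str) -> Tuple[Tuple[int, ...], Tuple[int, int]]:
    """Turn a version string into a tuple that orders correctly.

    Versions must be compared numerically, not as strings: as strings
    "2.10.0" < "2.9.1", which would hide an affected version from a naive
    range check. Trailing zeros are dropped so 2.1 == 2.1.0, and a
    pre-release sorts before the bare release it precedes.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = [int(part) for part in m.group(1).split(".")]
    while len(numbers) > 1 and numbers[-1] == 0:
        numbers.pop()
    if m.group(2):
        rank = {"alpha": 0, "beta": 1, "rc": 2}[m.group(2).lower()]
        pre = (rank, int(m.group(3) or 0))
    else:
        pre = (9, 0)  # a final release sorts after any of its pre-releases
    return tuple(numbers), pre


@dataclass(frozen=True)
class Advisory:
    package: str
    advisory_id: str      # placeholder ids here; a real feed carries CVE ids from the NVD
    severity: str
    introduced: str       # first affected version, inclusive
    fixed: Optional[str]  # first fixed version, exclusive; None = no fix released


def is_affected(version: str, adv: Advisory) -> bool:
    """True when introduced <= version < fixed (or no fix exists yet)."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed is None or v < parse_version(adv.fixed)


def parse_manifest(text: str) -> dict:
    """Read 'name==version' lines (pip requirements style); comments ignored."""
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        if not sep or not version.strip():
            # An unpinned dependency cannot be checked; fail loudly rather
            # than silently skipping it.
            raise ValueError(f"dependency is not pinned to a version: {line!r}")
        deps[name.strip().lower()] = version.strip()
    return deps


def scan(manifest_text: str, advisories: List[Advisory]) -> List[Tuple[str, str, str, str]]:
    """Return (package, version, advisory_id, severity) for each match."""
    deps = parse_manifest(manifest_text)
    findings = []
    for adv in advisories:
        version = deps.get(adv.package.lower())
        if version is not None and is_affected(version, adv):
            findings.append((adv.package, version, adv.advisory_id, adv.severity))
    return sorted(findings)


# Constructed advisory feed: hypothetical packages and ids.
ADVISORIES = [
    Advisory("examplelib", "EXAMPLE-2022-0001", "CRITICAL", "2.0-beta9", "2.15.0"),
    Advisory("examplelib", "EXAMPLE-2022-0002", "HIGH", "2.15.0", "2.16.0"),
    Advisory("otherlib", "EXAMPLE-2022-0003", "MEDIUM", "1.0", None),
]

# Constructed manifest in pip requirements style.
MANIFEST = """\
# constructed sample: application dependencies
examplelib==2.10.0
otherlib==0.9.5
safelib==3.4.1
"""

if __name__ == "__main__":
    for package, version, advisory_id, severity in scan(MANIFEST, ADVISORIES):
        print(f"{severity:8} {package}=={version} -> {advisory_id}")
```

Running it reports examplelib 2.10.0 against EXAMPLE-2022-0001 only: the second examplelib advisory starts at 2.15.0, and otherlib 0.9.5 is below the affected range. A real SCA tool does the same matching at much larger scale against the NVD and vendor feeds, and also walks transitive dependencies and binaries, which this manifest-only check does not.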

DevSecOps Tools

  • Aqua Security:
    • Used with cloud-native applications, i.e. a cloud native application protection platform (CNAPP).
    • Very popular for Kubernetes, serverless and container security; its open source scanner Trivy is widely used in pipelines for image and dependency scanning.
    • See the official Aqua Security web page.
  • Checkmarx:
    • Very popular in application security testing (AST).
    • We can perform
      • SCA
      • SAST
      • Interactive Application Security Testing (IAST)
    • See the official Checkmarx web page.
  • Micro Focus CyberRes Fortify:
    • Very popular for scanning code from within the IDE; the product line covers
      • SAST
      • DAST
      • SCA
    • See the official Fortify web page.
  • Synopsys:
    • AST tools include SCA, IAST, DAST and SAST.
    • See the official Synopsys web page.
  • Veracode:
    • A cloud-hosted (SaaS) application security platform, best known for SAST.
    • See the official Veracode web page.
  • WhiteSource (renamed Mend in 2022):
    • Offers dependency scanning (SCA), SAST and risk exposure reporting.
    • See the official web page.
  • OWASP ZAP:
    • Open source, from the OWASP community.
    • Automated active and passive scanning of web applications for vulnerabilities. Passive scanning only inspects traffic proxied through ZAP and is safe against any target; active scanning sends attack payloads and needs authorization.
    • This is DAST testing.
    • See the official OWASP ZAP pages.

Integrating Security To CI/CD Pipelines

  • Overview of Integration:
    • SCA and SAST run at build time on every commit or pull request, since they need only the source tree and its dependency manifests.
    • DAST runs after the application is deployed to a test or staging environment, because it needs a running instance to send requests to.
    • Each scanner's results feed a gate that fails the pipeline when findings exceed an agreed severity threshold, so vulnerable builds do not reach production.
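
The piece of the integration that teams have to write themselves is the gate: the stage that reads the scanners' findings and decides whether the job passes. The script below is an added example for this section, not code from the original notes or from any scanner vendor. The findings document and the exception list are constructed sample data, and the JSON field names are an assumed, tool-neutral schema rather than any real scanner's output format; a real stage would first convert each tool's report (for example SARIF) into this shape.

```python
"""Pipeline security gate: turn scanner findings into a pass/fail decision.

Added example for the CI/CD integration section, not code from the original
notes or from any scanner vendor. The findings document and the exception
list are constructed sample data, and the JSON field names are an assumed,
tool-neutral schema rather than any real scanner's output format.
"""
import json
import sys
from datetime import date
from typing import Dict, List

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed findings as the gate would receive them after normalisation;
# the SCA rule id is a hypothetical placeholder, not a real CVE.
FINDINGS_JSON = """[
  {"tool": "sast", "rule": "sql-injection", "severity": "HIGH",
   "location": "app/db.py:42"},
  {"tool": "sca", "rule": "EXAMPLE-2022-0001", "severity": "CRITICAL",
   "location": "requirements.txt"},
  {"tool": "dast", "rule": "missing-csp-header", "severity": "MEDIUM",
   "location": "https://staging.example.test/"},
  {"tool": "sast", "rule": "hardcoded-secret", "severity": "HIGH",
   "location": "tests/fixtures.py:7"}
]"""

# Accepted-risk exceptions name one exact finding, a ticket (hypothetical id)
# and an expiry date, so a suppression cannot quietly become permanent.
EXCEPTIONS = [
    {"rule": "hardcoded-secret", "location": "tests/fixtures.py:7",
     "expires": "2022-12-31", "ticket": "SEC-1234"},
]


def load_findings(text: str) -> List[Dict]:
    """Parse the normalised report and reject unknown severities up front."""
    findings = json.loads(text)
    for f in findings:
        if f.get("severity") not in SEVERITY_RANK:
            raise ValueError(f"unknown severity in finding: {f!r}")
    return findings


def is_excepted(finding: Dict, exceptions: List[Dict], today: date) -> bool:
    """An exception applies only if rule and location match and it has not expired."""
    for e in exceptions:
        if (e["rule"], e["location"]) == (finding["rule"], finding["location"]) \
                and date.fromisoformat(e["expires"]) >= today:
            return True
    return False


def evaluate(findings: List[Dict], exceptions: List[Dict],
             fail_at: str = "HIGH", today: str = None) -> Dict:
    """Split findings at or above `fail_at` into blocking and excepted.

    `today` is an ISO date string (defaults to the current date) so the
    expiry logic can be exercised deterministically.
    """
    threshold = SEVERITY_RANK[fail_at]
    current = date.fromisoformat(today) if today else date.today()
    blocking, excepted = [], []
    for f in findings:
        if SEVERITY_RANK[f["severity"]] < threshold:
            continue  # below the gate's threshold: reported, but not blocking
        (excepted if is_excepted(f, exceptions, current) else blocking).append(f)
    return {"blocking": blocking, "excepted": excepted,
            "exit_code": 1 if blocking else 0}


def main() -> int:
    result = evaluate(load_findings(FINDINGS_JSON), EXCEPTIONS)
    for f in result["blocking"]:
        print(f"BLOCK   {f['severity']:8} {f['tool']}/{f['rule']} at {f['location']}")
    for f in result["excepted"]:
        print(f"EXCEPT  {f['severity']:8} {f['tool']}/{f['rule']} at {f['location']}")
    return result["exit_code"]  # a non-zero exit fails the CI job


if __name__ == "__main__":
    sys.exit(main())
```

In a pipeline the scanner stage writes the normalised report to a file, this gate reads it, and its exit code decides whether the job passes. `fail_at` is the policy knob (start at CRITICAL and tighten to HIGH once the backlog is triaged), and the exception list belongs in the repository so that every suppression is reviewed like code and expires on a date someone has to justify.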

Terms To Be Understood

  • OWASP: the Open Web Application Security Project, a non-profit community that publishes free application security guidance and tools (ZAP among them).
  • OWASP Top 10: OWASP's regularly updated list of the ten most critical categories of web application security risk, widely used as a baseline for what SAST and DAST rules should cover.
  • SIEM: Security Information and Event Management, the platform that collects and correlates security logs and alerts; pipeline and scanner security events are often forwarded to it.
  • NVD: the National Vulnerability Database, NIST's database of published vulnerabilities with CVSS severity scores, which SCA tools draw on.
  • CVE: Common Vulnerabilities and Exposures, the identifier scheme (CVE-YYYY-NNNNN) for publicly known vulnerabilities.

By continuous learner

devops & cloud enthusiastic learner
